Analysis Overview
SHA256
4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59
Threat Level: Known bad
The file 4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-28 21:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-28 21:54
Reported
2024-08-28 21:56
Platform
win7-20240708-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe" | C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2856 set thread context of 1412 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe
"C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
Files
memory/2560-0-0x0000000074BB1000-0x0000000074BB2000-memory.dmp
memory/2560-1-0x0000000074BB0000-0x000000007515B000-memory.dmp
memory/2560-2-0x0000000074BB0000-0x000000007515B000-memory.dmp
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | 2ad21242f1f34f03e74cefb084afbb58 |
| SHA1 | 327e3e27e29c970e2ada0bb230f60e883ed371e0 |
| SHA256 | 1e71177ba0e6349f7ae66a87f9f0fdfc0d64261f8ec17bc7b1647101b0d202ec |
| SHA512 | 887c004ffc3e10148647e49c37220a2ec412abf674d72c33037ed9790d01e56d69ea6de5cb392286e160f0b3bb3aae0e3b9e740a18d9b568e1ff5255e6d0501b |
memory/2856-16-0x0000000074BB0000-0x000000007515B000-memory.dmp
memory/2560-15-0x0000000074BB0000-0x000000007515B000-memory.dmp
memory/2856-17-0x0000000074BB0000-0x000000007515B000-memory.dmp
memory/2856-24-0x0000000074BB0000-0x000000007515B000-memory.dmp
memory/1412-23-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1412-21-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1412-18-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2856-25-0x0000000074BB0000-0x000000007515B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-28 21:54
Reported
2024-08-28 21:56
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe" | C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4936 set thread context of 3660 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe
"C:\Users\Admin\AppData\Local\Temp\4ecf642efaacb2436c6c50d67b4c13b412223e03c288318b6dbd06f3f142cf59.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
Files
memory/1672-0-0x0000000074DD2000-0x0000000074DD3000-memory.dmp
memory/1672-1-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/1672-2-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/1672-6-0x0000000074DD2000-0x0000000074DD3000-memory.dmp
memory/1672-7-0x0000000074DD0000-0x0000000075381000-memory.dmp
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | 82e61fa3333137de7cd58074f75cb9e2 |
| SHA1 | 3b1d69cbd18790e86d6a7a9253e1fa5dd8d06cd1 |
| SHA256 | f72a48973e8b7caeabdf97f4c232bab0850c913b3996d60c32211f9f8e414e24 |
| SHA512 | 62c94644e689b217ecc359256238787ed050134a5612552a2791be356e31136566d5dbd72439d4bf44777f63751b9967c64aeb98aa3193ad55bd890495d26c3f |
memory/1672-19-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/4936-21-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/1672-20-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/4936-22-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/3660-23-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log
| MD5 | 0a9b4592cd49c3c21f6767c2dabda92f |
| SHA1 | f534297527ae5ccc0ecb2221ddeb8e58daeb8b74 |
| SHA256 | c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd |
| SHA512 | 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307 |
memory/3660-28-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/4936-27-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/3660-29-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/3660-30-0x0000000074DD0000-0x0000000075381000-memory.dmp